EP4033319A1 - Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system - Google Patents

Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system

Info

Publication number
EP4033319A1
Authority
EP
European Patent Office
Prior art keywords
fault tree
boolean
failure propagation
loop
component system
Legal status
Withdrawn
Application number
EP21152987.0A
Other languages
German (de)
English (en)
Inventor
Jonathan MENU
Francesco Montrone
Amr Hany Saleh
Marc Zeller
Current Assignee
Siemens AG
Original Assignee
Siemens AG
Priority date
2021-01-22
Filing date
2021-01-22
Publication date
2022-07-27
Application filed by Siemens AG
Priority to EP21152987.0A (EP4033319A1)
Priority to CN202280011168.5A (CN116802578A)
Priority to US18/272,780 (US20240118686A1)
Priority to EP22701334.9A (EP4260152A1)
Priority to PCT/EP2022/050607 (WO2022157062A1)
Publication of EP4033319A1
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 23/00 Testing or monitoring of control systems or parts thereof
    • G05B 23/02 Electric testing or monitoring
    • G05B 23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B 23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B 23/0243 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults, model based detection method, e.g. first-principles knowledge model
    • G05B 23/0245 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults, model based detection method, e.g. first-principles knowledge model, based on a qualitative model, e.g. rule based; if-then decisions
    • G05B 23/0248 Causal models, e.g. fault tree; digraphs; qualitative physics
    • G05B 23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B 23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 30/00 Computer-aided design [CAD]
    • G06F 30/20 Design optimisation, verification or simulation

Definitions

  • The present invention pertains to a computer-implemented method for resolving closed loops in automatic fault tree analysis of a multi-component system.
  • The present invention further pertains to a device comprising a processor configured to perform such a method.
  • The present invention relates to a. Further, the invention relates to a corresponding computing unit and a corresponding computer program product.
  • The importance of safety-critical systems in many application domains of embedded systems, such as aerospace, railway, health care, automotive and industrial automation, is continuously growing.
  • The aim of safety assurance is to ensure that systems do not lead to hazardous situations which may harm people or endanger the environment.
  • Safety assurance is defined by means of standards, see, e.g., International Electrotechnical Commission (IEC) 61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems," 1998.
  • IEC: International Electrotechnical Commission
  • FMEA: Failure Mode and Effect Analysis
  • IEC 60812, "Analysis Techniques for System Reliability - Procedure for Failure Mode and Effects Analysis (FMEA)," 1991.
  • FTA: Fault Tree Analysis
  • The assessment of a system according to reference implementations is based on top-down approaches such as Fault Tree Analysis (FTA), see, e.g., Vesely et al., "Fault Tree Handbook," US Nuclear Regulatory Commission, 1981.
  • Closed-loop control refers to the process in which a physical variable, e.g., an ambient temperature, is to be brought to a particular value while being stabilized against disturbances.
  • A feedback signal, obtained by measuring an observable indicative of the physical variable, is used to set the operation of an actuator influencing the physical variable.
  • The controller is the component that acquires the actual value and derives a control signal from the difference between the set point and the actual value.
  • The controller then activates a final controlling element, e.g., a heater, that compensates for the control deviation.
  • When Boolean logic is used, e.g., to drive a fault tree (FT), (closed) loops or ring closures are problematic.
  • Since Boolean logic cannot contain loops in general, there are techniques to prevent loops in such models, e.g., as described in Höfig et al., "Streamlining Architectures for Integrated Safety Analysis Using Design Structure Matrices (DSMs)," Safety and Reliability: Methodology and Applications, 2014.
  • DSM: Design Structure Matrix
  • Such loops often cannot be prevented, as they simply develop during the composition of a system from existing components and existing parts of failure propagation models. Therefore a technique is required that is able to deal with loops in failure propagation models that use Boolean logic.
  • According to one aspect of the invention, this problem is solved by a computer-implemented method for resolving closed loops in automatic fault tree analysis of a multi-component system, the method comprising the steps M1 to M6 set out below.
  • A fault tree, or the failure propagation paths within the fault tree, may be regarded as some form of equation or system of coupled equations.
  • The present invention now takes Boolean TRUE as the starting value for all failure propagation paths in which a closed loop has been discovered, such closed loops being found by iteratively going through the fault tree from the output to one or more inputs. Based on that, certain properties of the fault tree are evaluated and the fault tree is amended in a specific way to remove any closed loop present in it. Subsequently, Boolean FALSE is inserted as the second starting value to render the remaining fault tree analyzable.
  • The method according to the invention results in a lower bound for the fault tree analysis. This means that the result of the fault tree analysis is either equal to or larger than the exact result of the fault tree.
  • The solution according to the invention is highly effective compared to conventional methods.
  • The method of the invention in particular features linear complexity O(n) and is thus much faster than any method known so far.
  • The method may enable automated optimization of technical products and/or systems with regard to reliability, availability, maintainability and/or safety (RAMS requirements). Moreover, such RAMS requirements may be taken into consideration for the optimization of further technical system properties, for example efficiency.
  • The invention in particular provides an advanced technique for analyzing safety-critical systems.
  • The closed loop of the fault tree is associated with closed-loop control circuitry of the multi-component system.
  • A further aspect of the invention is a device comprising a processor configured to perform the aforementioned method.
  • FT: fault tree
  • The techniques described herein may find application in various kinds and types of safety-critical systems.
  • The techniques described herein may find application in multi-component systems, e.g. control or actuator systems.
  • Control or actuator systems may provide control functionality or activation functionality for certain machines.
  • Some elements of multi-component safety-critical systems may be implemented as hardware, while some components may alternatively or additionally be implemented using software. It is possible that the safety-critical systems for which the techniques are employed include an output which provides an actuator force or a control signal for actuating or controlling one or more machines.
  • Safety-critical systems which may benefit from the techniques described herein include, but are not limited to: electronic circuitry including active and/or passive electronic components such as transistors, coils, capacitors, resistors, etc.; drivetrains for vehicles such as trains, passenger cars or airplanes; assembly lines including conveyor belts, robots, movable parts, control sections and test sections for inspecting manufactured goods (backend testing); medical systems such as imaging systems, including magnetic resonance imaging or computed tomography, and particle therapy systems; power plants; etc.
  • FTs may be used.
  • An example implementation of a FT that may be relied upon in the techniques described herein is a component FT (CFT).
  • CFT: component fault tree
  • Various examples are described in the context of CFTs, while, generally, a plain FT may also be employed.
  • The error behavior of the system may be modeled by the CFT using approaches of hierarchical decomposition.
  • The overall behavior of the system can be predicted based on the individual behavior of its components.
  • The causal chain leading to an overall system behavior may be modeled by a causal chain of errors of components.
  • The CFT may include Boolean interconnections between adjacent elements to model the propagation of errors throughout the system.
  • The CFT may model the system using a graph; here the nodes of the graph correspond to the elements and the edges of the graph to the interconnections.
  • CFTs modeling a system using Boolean logic expressions can malfunction if they include closed loops and/or ring closures.
  • A closed loop is generally present if an input value of an element of the CFT is derived from an output whose associated Boolean logic expression includes that same input value.
  • Figure 1 shows a device 10 with a processor 6 performing a method M according to the invention for resolving closed loops in automatic fault tree analysis of a multi-component system (not depicted).
  • The multi-component system may be, for example, a safety-critical system or the like, which may comprise closed-loop control circuitry of a closed-loop controller (PID).
  • The PID may for example be configured to control a component of the multi-component system on the basis of a closed control loop.
  • The PID may for example control a physical variable such as a temperature, a pressure, a force and so on.
  • The method M will be explained in detail with reference to Figs. 2 to 4 for one particular example of a fault tree 1.
  • The fault tree 1 models a multi-component system and comprises a plurality of elements 4 associated with components of the multi-component system, and interconnections 2 between the elements 4 associated with functional dependencies between the components. Accordingly, the method M comprises, under M1, modeling the multi-component system using the fault tree 1.
  • The fault tree 1 comprises one output element 4a and four input elements 4b.
  • The method M further comprises, under M2, back-tracing failure propagation paths 11 from the output element 4a of the fault tree 1 via the interconnections 2 towards the input elements 4b of the fault tree 1.
  • This back-tracing is illustrated in Fig. 3, where it can be seen that the fault tree 1 is basically decomposed into two failure propagation paths 11, each of which features one closed loop 7. Or, to describe it differently, the fault tree 1 is "unrolled".
  • The interconnection of each loop 7 to the respective failure propagation path 11 is labeled W_i in the following.
  • The failure propagation path 11 on the left in Fig. 3 has one closed loop 7 connecting one input of element X6 with the output of element X2 at loop interconnection W_1.
  • The failure propagation path 11 on the right in Fig. 3 has one closed loop 7 connecting one input of element X5 with the output of element X3 at loop interconnection W_2.
  • Such loop-causing gates may be identified in a general manner by checking, for all failure propagation paths 11, whether the respective failure propagation path 11 contains a downstream element 4d whose output value depends on an output value of an upstream element 4c of the same failure propagation path 11.
  • The method M comprises, under M3, checking, for all failure propagation paths 11, whether the respective failure propagation path 11 contains a closed loop 7, by identifying a downstream element 4d of the respective failure propagation path 11 whose output value depends on an output value of an upstream element 4c of the failure propagation path 11.
  • The method M removes these two closed loops 7 in the fault tree 1.
  • The method M comprises, under M4, setting the input value corresponding to the loop interconnection W_i of each such downstream element 4d to Boolean TRUE. In other words, the problematic element turning up in the corresponding Boolean expression at this point is replaced by the expression W_i.
  • The method comprises, under M5, identifying any Boolean AND-gate 3a having, independently of the specific values of the input elements 4b, an output that is not Boolean TRUE. With reference to Fig. 4, it can be seen that two AND-gates 4da fulfill this criterion and, thus, two Boolean AND-gates 4da are identified.
  • The method M further comprises, under M5, cutting off any Boolean TRUE input to the identified Boolean AND-gate 3a remaining between the respective downstream element 4d and the upstream element 4c.
  • The method M comprises, under M6, setting the input value of each respective downstream element 4d corresponding to the loop interconnection W_i to Boolean FALSE.
  • In this example the loop interconnections W_i are cut off anyway, hence this method step has no consequence (cf., however, the examples in Figs. 5 to 8).
  • The fault tree 1 in Fig. 2 can now be evaluated, that is, it can be iteratively expanded into definite Boolean expressions at the elements 4, proceeding from the output element 4a via the interconnections 2 towards the input elements 4b, or vice versa.
  • the fault tree 1 thus can be expressed as: b 1 ⁇ g 1 ⁇ g 2 ⁇ b 2 ⁇ b 2 ⁇ g 2 ⁇ b 1 ⁇ g 1
  • The method can thus be used to determine the lower bound for the fault tree analysis.
  • Step M5 can be modified as follows:
  • The upper bound and the lower bound, i.e. two bounds, can accordingly be used to judge the fault tree analysis result.
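As an added example (not code from the patent or from Siemens), the following Python carries steps M1 to M6 above through on a constructed three-gate fault tree with one closed loop, and then compares the resolved result with the exact least and greatest fixed points of the looped tree read as a system of coupled Boolean equations, which is the check a practitioner would want on the bound discussion above. The gate encoding, the tree itself, the symbol names W_i and every function name are assumptions; the modification of step M5 for the upper bound is not described on this page, so the example does not implement it and only computes the fixed points for comparison.

```python
"""Loop resolution in a Boolean fault tree, following steps M1 to M6 above.
Added example, not code from the patent or from Siemens; the gate encoding, the
constructed tree and every helper name here are assumptions."""
from itertools import product

FALSE = "FALSE"  # constant element standing in for an input that M6 sets to FALSE

# M1: constructed fault tree (not the one in the patent figures). A gate maps its
# name to (type, [inputs]); an input that is not a gate is a basic event.
#   TOP = A OR X2,  X2 = g1 AND X6,  X6 = b1 OR X2   -> X2 -> X6 -> X2 is a closed loop
EXAMPLE_TREE = {
    "TOP": ("OR", ["A", "X2"]),
    "X2": ("AND", ["g1", "X6"]),
    "X6": ("OR", ["b1", "X2"]),
}

def basic_events(tree):
    return sorted({i for _, ins in tree.values() for i in ins if i not in tree})

def find_loops(tree, top):
    """M2/M3: back-trace from the output towards the inputs and report every input of
    a gate (downstream element) that carries the output of a gate still on the current
    path (upstream element) as a loop interconnection (downstream, upstream)."""
    loops, path = [], []

    def visit(node):
        if node not in tree:  # basic event, nothing to trace
            return
        path.append(node)
        for inp in tree[node][1]:
            if inp not in path:
                visit(inp)
            elif (node, inp) not in loops:
                loops.append((node, inp))
        path.pop()

    visit(top)
    return loops

def resolve_loops(tree, top):
    """M4 to M6: each loop interconnection becomes a symbol W_i, first set to TRUE so
    the AND-gates it runs through can be cut, then set to FALSE. Returns a loop-free
    copy of the tree over the same basic events."""
    tree = {g: (t, list(ins)) for g, (t, ins) in tree.items()}
    symbols = []
    for i, (down, up) in enumerate(find_loops(tree, top), start=1):
        symbols.append(f"W{i}")
        ins = tree[down][1]
        ins[ins.index(up)] = f"W{i}"  # the downstream input now reads W_i
    forced = set(symbols)  # M4: W_i = TRUE; collect the gates that this alone forces TRUE
    changed = True
    while changed:
        changed = False
        for g, (t, ins) in tree.items():
            if g not in forced and ((t == "OR" and any(i in forced for i in ins)) or
                                    (t == "AND" and ins and all(i in forced for i in ins))):
                forced.add(g)
                changed = True
    for g, (t, ins) in tree.items():  # M5: AND-gates not forced TRUE lose their TRUE inputs
        if t == "AND" and g not in forced:
            tree[g] = (t, [i for i in ins if i not in forced])
    for g, (t, ins) in tree.items():  # M6: remaining W_i = FALSE (OR drops it, AND dies)
        if t == "OR":
            tree[g] = (t, [i for i in ins if i not in symbols])
        elif any(i in symbols for i in ins):
            tree[g] = (t, [FALSE])
    return tree

def evaluate(tree, node, assignment):
    """Evaluate a loop-free tree; `assignment` maps basic events to True/False."""
    if node == FALSE:
        return False
    if node not in tree:
        return assignment[node]
    t, ins = tree[node]
    values = [evaluate(tree, i, assignment) for i in ins]
    return all(values) if t == "AND" else any(values)

def fixed_point(tree, assignment, start):
    """Exact value of the looped tree read as coupled Boolean equations, iterated from
    `start`: False gives the least fixed point, True the greatest."""
    values = {g: start for g in tree}
    while True:
        new = {g: (all if t == "AND" else any)(values[i] if i in tree else assignment[i]
                                                for i in ins)
               for g, (t, ins) in tree.items()}
        if new == values:
            return values
        values = new

def truth_table(tree, top):
    """Per assignment of the basic events: (resolved, least fixed point, greatest
    fixed point) value of the top event."""
    events, resolved, rows = basic_events(tree), resolve_loops(tree, top), {}
    for bits in product([False, True], repeat=len(events)):
        a = dict(zip(events, bits))
        rows[bits] = (evaluate(resolved, top, a), fixed_point(tree, a, False)[top],
                      fixed_point(tree, a, True)[top])
    return events, rows

def bound_holds(tree, top):
    """The claim above, checked for this tree: the resolved result is never smaller
    than the exact (least fixed point) result, whatever the basic events do."""
    return all(r >= lo for r, lo, _ in truth_table(tree, top)[1].values())
```

On the constructed tree, `find_loops` reports the single loop as (downstream, upstream) = ("X6", "X2"), i.e. the input of X6 that carries the output of X2 becomes W_1. With W_1 = TRUE the OR-gate X6 is forced TRUE, the AND-gate X2 is not, so X2 loses its TRUE input and reduces to g1; W_1 = FALSE then only strips the dead input from X6. The top event becomes A OR g1, which for every assignment is at least the least fixed point A OR (g1 AND b1) and here coincides with the greatest fixed point. Cutting an input from an AND-gate can only enlarge its output, which is why the truth-table comparison, not the cut alone, is what tells you which bound you actually obtained.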

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)
EP21152987.0A 2021-01-22 2021-01-22 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system Withdrawn EP4033319A1 (fr)

Priority Applications (5)

Application Number Priority Date Filing Date Title
EP21152987.0A EP4033319A1 (fr) 2021-01-22 2021-01-22 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
CN202280011168.5A CN116802578A (zh) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
US18/272,780 US20240118686A1 (en) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
EP22701334.9A EP4260152A1 (fr) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
PCT/EP2022/050607 WO2022157062A1 (fr) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP21152987.0A EP4033319A1 (fr) 2021-01-22 2021-01-22 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system

Publications (1)

Publication Number Publication Date
EP4033319A1 true EP4033319A1 (fr) 2022-07-27

Family

ID=74215708

Family Applications (2)

Application Number Title Priority Date Filing Date
EP21152987.0A Withdrawn EP4033319A1 (fr) 2021-01-22 2021-01-22 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
EP22701334.9A Pending EP4260152A1 (fr) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system

Family Applications After (1)

Application Number Title Priority Date Filing Date
EP22701334.9A Pending EP4260152A1 (fr) 2021-01-22 2022-01-13 Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system

Country Status (4)

Country Link
US (1) US20240118686A1 (fr)
EP (2) EP4033319A1 (fr)
CN (1) CN116802578A (fr)
WO (1) WO2022157062A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0579074A1 (fr) 1992-07-06 1994-01-19 Miele & Cie. GmbH & Co. Baking oven with cooling fan and/or hot-air fan
EP3579074A1 (fr) * 2018-06-07 2019-12-11 Siemens Aktiengesellschaft Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system


Non-Patent Citations (9)

* Cited by examiner, † Cited by third party
Title
IEC 60812, "Analysis Techniques for System Reliability - Procedure for Failure Mode and Effects Analysis (FMEA)," 1991
Cuenot et al., "Proposal for extension of meta-model for error failure and propagation analysis," Safe Automotive Software Architecture (SAFE), an ITEA2 project, 2013
Höfig et al., "Streamlining Architectures for Integrated Safety Analysis Using Design Structure Matrices (DSMs)," Safety and Reliability: Methodology and Applications, 2014
International Electrotechnical Commission (IEC), "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems," IEC 61508, 1998
Kaiser et al., "A new component concept for fault trees," Proceedings of the 8th Australian Workshop on Safety Critical Systems and Software, vol. 33, 2003, pp. 37-46
Lim et al., "Systematic Treatment of Circular Logics in a Fault Tree Analysis," Nuclear Engineering and Design, vol. 245, 2012, pp. 172-179, DOI: 10.1016/j.nucengdes.2011.12.016
Vaurio et al., "A Recursive Method for Breaking Complex Logic Loops in Boolean System Models," Reliability Engineering & System Safety, vol. 92, no. 10, 2007, pp. 1473-1475, DOI: 10.1016/j.ress.2006.09.020
Vesely et al., "Fault Tree Handbook," US Nuclear Regulatory Commission, 1981
Yang et al., "Analytic Method to Break Logical Loops Automatically in PSA," Reliability Engineering & System Safety, vol. 56, no. 2, 1997, pp. 101-105

Also Published As

Publication number Publication date
CN116802578A (zh) 2023-09-22
WO2022157062A1 (fr) 2022-07-28
US20240118686A1 (en) 2024-04-11
EP4260152A1 (fr) 2023-10-18

Similar Documents

Publication Publication Date Title
Bolbot et al. Vulnerabilities and safety assurance methods in Cyber-Physical Systems: A comprehensive review
US11853048B2 (en) Control method and device that resolves closed loops in automatic fault tree analysis of a multi-component system
EP3270249B1 (fr) Method and apparatus for the computer-aided generation of component fault trees
Johnson Improving automation software dependability: A role for formal methods?
EP3867719B1 (fr) Computer-implemented method for generating a mixed-layer fault tree of a multi-component system combining different layers of abstraction
US11144379B2 (en) Ring-closures in fault trees
Peleska et al. Model-based testing for avionic systems proven benefits and further challenges
Noll Safety, dependability and performance analysis of aerospace systems
Daskaya et al. Formal safety analysis in industrial practice
EP4033319A1 (fr) Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
Medikonda et al. A framework for software safety in safety-critical systems
Bruintjes et al. A statistical approach for timed reachability in AADL models
Zeller et al. Combination of component fault trees and Markov chains to analyze complex, software-controlled systems
CN112204485B (zh) Computer-implemented method and device for resolving closed loops in automatic fault tree analysis of a multi-component system
Verhulst et al. Antifragility: systems engineering at its best
Ravikumar et al. A Survey on different software safety hazard analysis and techniques in safety critical systems
EP3969974B1 (fr) Ring closures in fault trees and normalized representation
Kharchenko et al. Modelling and safety assessment of programmable platform based information and control systems considering hidden physical and design faults
Gleirscher Supervision of Intelligent Systems: An Overview
Huhn et al. Observations on formal safety analysis in practice
Bsiss et al. Functional Safety of FPGA Fuzzy Logic Controller
Nagy et al. Simulation-based Safety Assessment of High-level Reliability Models
Singh et al. Unified Functional Safety Framework for advance multi-domain SoCs combining ISO 26262 & IEC61508
Wu et al. Accident rehearsal method based on functional model checking
Gautham Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) EPC to a published international application that has entered the European phase (original code: 0009012)
STAA Information on the status of an EP patent application or granted EP patent (status: the application has been published)
AK Designated contracting states (kind code of ref document: A1; designated states: AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR)
STAA Information on the status of an EP patent application or granted EP patent (status: the application is deemed to be withdrawn)
18D Application deemed to be withdrawn (effective date: 2023-01-28)